Today we are releasing Grafana 9.1.2, 9.0.8, 8.5.11, 8.4.11, 8.3.11 and Grafana Image Renderer 3.6.1. This patch release includes a HIGH severity security fix for CVE-2022-31176 that affects Grafana instances which are using Grafana Image Renderer plugin.
Grafana Imager Renderer release, also containing security fix:
Release 9.1.2, latest patch, also containing security fix:
Release 9.0.8, latest patch, also containing security fix:
Release v8.5.11, only containing security fix:
Release v8.4.11, only containing security fix:
Release v8.3.11, only containing security fix:
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is also applicable to Amazon Managed Grafana.
Unauthorized file disclosure (CVE-2022-31176)
Summary
On July 21 an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used.
The Chromium browser embedded in the Grafana image renderer allows for ‘printing’ of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if the user has admin permissions in Grafana). This vulnerability permits unauthorized file disclosure and is a potential DoS vector through targeting of extremely large files.
The CVSS score for this vulnerability is 8.3 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H) for Grafana instances using Grafana Image Renderer plugin with HTTP remote rendering.
Impacted versions
All Grafana installations with the Grafana Image Renderer plugin used with HTTP remote rendering are affected by this vulnerability.
Solutions and mitigations
All Grafana installations and the Grafana Image Renderer plugin should be upgraded as soon as possible by following all the steps below. They are only required if you are using the Image Renderer plugin with HTTP remote rendering.
- Upgrade your Grafana instance
- Upgrade your Image Renderer docker image with the Docker image
grafana/grafana-image-renderer:3.6.1
- In the rendering section of Grafana configuration file, define a strong secret in
renderer_token
- Configure the same secret for the Image Renderer either via an environment variable called
AUTH_TOKEN
or by adding auth_token
config key in the [plugin.grafana-image-renderer]
section of Grafana config.
- Restart your Grafana instance
- Restart your Image Renderer docker image
If you can’t upgrade, as a workaround it is possible to disable HTTP remote rendering, or stop using Grafana Image Renderer plugin entirely.
Appropriate patches have been applied to Grafana Cloud.
Timeline
Here is a detailed timeline starting from when we originally learned of the issue.
- 2022-07-21: Internal security researcher discovers the vulnerability and creates the initial report.
- 2022-07-21: The vulnerability is confirmed.
- 2022-07-22: Temporary mitigation is applied to Grafana Cloud.
- 2022-07-22: Root cause is determined and started working on a fix.
- 2022-08-11: Security fix determined and root cause mitigated.
- 2022-08-11: Release timeline determined: 2022-08-17 for private customer release, 2022-08-30 for public release.
- 2022-08-17: Private release.
- 2022-08-30: Public release.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
Today we are releasing Grafana 9.1.2, 9.0.8, 8.5.11, 8.4.11, 8.3.11 and Grafana Image Renderer 3.6.1. This patch release includes a HIGH severity security fix for CVE-2022-31176 that affects Grafana instances which are using Grafana Image Renderer plugin.
Grafana Imager Renderer release, also containing security fix:
Release 9.1.2, latest patch, also containing security fix:
Release 9.0.8, latest patch, also containing security fix:
Release v8.5.11, only containing security fix:
Release v8.4.11, only containing security fix:
Release v8.3.11, only containing security fix:
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is also applicable to Amazon Managed Grafana.
Unauthorized file disclosure (CVE-2022-31176)
Summary
On July 21 an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used.
The Chromium browser embedded in the Grafana image renderer allows for ‘printing’ of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if the user has admin permissions in Grafana). This vulnerability permits unauthorized file disclosure and is a potential DoS vector through targeting of extremely large files.
The CVSS score for this vulnerability is 8.3 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H) for Grafana instances using Grafana Image Renderer plugin with HTTP remote rendering.
Impacted versions
All Grafana installations with the Grafana Image Renderer plugin used with HTTP remote rendering are affected by this vulnerability.
Solutions and mitigations
All Grafana installations and the Grafana Image Renderer plugin should be upgraded as soon as possible by following all the steps below. They are only required if you are using the Image Renderer plugin with HTTP remote rendering.
grafana/grafana-image-renderer:3.6.1
renderer_token
AUTH_TOKEN
or by addingauth_token
config key in the[plugin.grafana-image-renderer]
section of Grafana config.If you can’t upgrade, as a workaround it is possible to disable HTTP remote rendering, or stop using Grafana Image Renderer plugin entirely.
Appropriate patches have been applied to Grafana Cloud.
Timeline
Here is a detailed timeline starting from when we originally learned of the issue.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.